Threat actors (TAs) using built-in data exfiltration methods like LOLBAS negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms. These methods can also hide within the general operating environment, providing subversion to the threat actor.
For example, PS scripting is often used within a typical Windows environment. When TAs want to hide in plain sight, PS code is often a go-to. Early in 2023, the Unit 42 IR team found the Vice Society ransomware gang using a script named w1.ps1 to exfiltrate data from a victim network.
Read more…
Source: Palo Alto Unit 42